StumpedTechy
MIS
Okay I know you can do something like this -
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Application' and " _
& "EventCode = '1202'")
This returns any event codes that have this 1202 event code in the Application log.
Now for the part I need help with. How would one modify this to look for 2 event codes, make sure the 2 event code time stamps are the same date/time, AND ensure this was not a singular problem E.G. occuring for more than a few hours if not days.
Here is the situation, we have some PC's that have bad secedit.sdb files in the C:\windows\SECURITY\Database directories.
The main symptom that all these PC's exhibit are 2 event logs back to back at the same timestamp that are 1202 and 1085. The next problem is this will reoccur every 3 hours when the PC is on and has tried to get a gpupdate from the server. The final problem is I don't want this to do anything if it finds just 1 or 2 occurances (should be ongoing in 3 hour increments) as this could potentially be a problem server side for one or 2 problems updating.
So in short I need to query wmi for 2 event logs ensure they are the same date/time and ensure they have occured for at least 3 instances or 9 hours possibly up to a day or 2.
The problem is I don't know how to search WMI that specifically or if it can even be done.
As much as I would love to do a blanket C:\windows\SECURITY\Database\secedit.sdb deletion this isn't what my bosses would like and won't accept.
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Application' and " _
& "EventCode = '1202'")
This returns any event codes that have this 1202 event code in the Application log.
Now for the part I need help with. How would one modify this to look for 2 event codes, make sure the 2 event code time stamps are the same date/time, AND ensure this was not a singular problem E.G. occuring for more than a few hours if not days.
Here is the situation, we have some PC's that have bad secedit.sdb files in the C:\windows\SECURITY\Database directories.
The main symptom that all these PC's exhibit are 2 event logs back to back at the same timestamp that are 1202 and 1085. The next problem is this will reoccur every 3 hours when the PC is on and has tried to get a gpupdate from the server. The final problem is I don't want this to do anything if it finds just 1 or 2 occurances (should be ongoing in 3 hour increments) as this could potentially be a problem server side for one or 2 problems updating.
So in short I need to query wmi for 2 event logs ensure they are the same date/time and ensure they have occured for at least 3 instances or 9 hours possibly up to a day or 2.
The problem is I don't know how to search WMI that specifically or if it can even be done.
As much as I would love to do a blanket C:\windows\SECURITY\Database\secedit.sdb deletion this isn't what my bosses would like and won't accept.
